Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Misissued/Suspicious Symantec Certificates

23,996 views
Skip to first unread message

Andrew Ayer

unread,
Jan 19, 2017, 3:46:38 PM1/19/17
I. Misissued certificates for example.com

On 2016-07-14, Symantec misissued the following certificates for example.com:

https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6
https://crt.sh/?sha256=8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426CF48A6117BFBFA
https://crt.sh/?sha256=94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E78B5679EAF48
https://crt.sh/?sha256=C69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311C2D2794BFCD11

I confirmed with ICANN, the owner of example.com, that they did not
authorize these certificates. These certificates were already revoked
at the time I found them.


II. Suspicious certificates for domains containing the word "test"

On 2016-11-15 and 2016-10-26, Symantec issued certificates for various
domains containing the word "test" which I strongly suspect were
misissued:

https://crt.sh/?sha256=b81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0d416bbd21
https://crt.sh/?sha256=f45d090e1bf24738a8e86734aa7acf7c9e65b619eb19660b1f73c9973f11b841
https://crt.sh/?sha256=bcbc26c9e06c4fe1c9e4d55fa27a501c504ea84e23e114b8ac004f7c0776cd0b
https://crt.sh/?sha256=f0935ce297419cc148bde49a7a123f2b2419cdd52df8e7f49e7bba07fe872559
https://crt.sh/?sha256=3601ab49034e69d6e2137a80e511a0640252f444b75d6baca7bf4672c35652a5

I have not attempted to contact the owners of these domains for
confirmation, as doing so is probably not feasible (many of the domains
are owned by squatters). However, the following facts lead to me to
believe that these certificates were misissued:

1. The subject DNs contain clearly bogus values, such as:

C=KR, ST=1, L=1, O=12, OU=1
C=KR, ST=1, L=1, O=1, OU=1
C=KR, ST=1, L=1, O=12, OU=1
C=KR, ST=Test1, L=Test, O=Test

Note that the misissued example.com certificates also contain C=KR in
their subjects.

2. The third certificate in the list above contains a SAN for
DNS:*.crosscert.com - note that three of the misissued example.com
certificates contain "Crosscert" in their Subject Organization.

3. None of these certificates have been observed in the wild by Censys.
The live certificate for www.test.com was issued by Network Solutions.

4. The first two certificates in the list above both contain DNS SANs
for *all* of the following domains:

test.com
test1.com
test2.com
test3.com
test4.com
test5.com
test6.com
test7.com
test8.com
test9.com
test11.com

With the exception of test4.com and test8.com, these domains are
registered to different entities and appear to be wholly unrelated with
one another in both ownership and operation. It is unlikely that the
owners of these domains would collaborate to authorize these
certificates.

These certificates were already revoked at the time I found them.


III. Certificates with O=Test

Finally, Symantec has issued a large number of certificates with the
following attributes in the Subject:

C=KR, ST=test, L=test, O=test, OU=test

e.g.:

https://crt.sh/?sha256=09AECE5B94BBB8A9EE2152FA6FB7261630124918DA015EB3571508EF6D31DD30
https://crt.sh/?sha256=CC0A2AE0EF5B1A6CF242D7B4C77AC9F05B49494B42C8486B47804874734CFC1C
https://crt.sh/?sha256=F177AC0064167354025CE12B3914A0E056628DD31152B5DF22E41913FC9D9B45
https://crt.sh/?sha256=DA7B1D433C071DA7A389EE2A4CAB854B89E441277B41E608F05FB7C7C6B2A761

For more, see:

https://crt.sh/?O=test

I doubt there is an organization named "test" located in "test, Korea."

Regards,
Andrew

Steve Medin

unread,
Jan 19, 2017, 5:46:42 PM1/19/17
to Andrew Ayer, [email protected]
Andrew, thank you for your efforts to report this issue. We are
investigating and will report our resolution, cause analysis, and corrective
actions once complete.

Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=[email protected]] On Behalf Of
> Andrew Ayer
> Sent: Thursday, January 19, 2017 4:46 PM
> To: [email protected]
> Subject: Misissued/Suspicious Symantec Certificates
>
> I. Misissued certificates for example.com
>
> On 2016-07-14, Symantec misissued the following certificates for
> example.com:
>
> https://clicktime.symantec.com/a/1/LyhH99FiQBwyOqKcts8QGJ75k6
> TPEC_N7jOPRSjGhkA=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3DA8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B902
> 4A9B9DC3C4C6
> https://clicktime.symantec.com/a/1/_X1-
> P9bvSq0r_QG43YQ6BwhHeeRl4IrY8ebwWh9HWiQ=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3D8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426C
> F48A6117BFBFA
> https://clicktime.symantec.com/a/1/1ux2sxPZpTNuRjN4JV5qOj0550
> RDi16i7NLrqi0eFaY=?d=6VMu_T-sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3D94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E
> 78B5679EAF48
> https://clicktime.symantec.com/a/1/YT02EQBzJ13G0VwF_VLruHbKA
> Ep4LXe40icNc0DLwUA=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3DC69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311
> C2D2794BFCD11
>
> I confirmed with ICANN, the owner of example.com, that they did not
> authorize these certificates. These certificates were already revoked at
the
> time I found them.
>
>
> II. Suspicious certificates for domains containing the word "test"
>
> On 2016-11-15 and 2016-10-26, Symantec issued certificates for various
> domains containing the word "test" which I strongly suspect were
> misissued:
>
> https://clicktime.symantec.com/a/1/_0lsjfT3DHqxu1QJl2eBU5zx948r
> qJmGy-bHkTlww3c=?d=6VMu_T-sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3Db81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0
> d416bbd21
> https://clicktime.symantec.com/a/1/uF90PPzN7N3_lTMmPb8YzXKK
> AfWPKKNmpvo_prjlE3Y=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3Df45d090e1bf24738a8e86734aa7acf7c9e65b619eb19660b1f73c99
> 73f11b841
> https://clicktime.symantec.com/a/1/ezbB2-8KqYUHyXjQx5B-
> Vwf6tJJiGin6RaC_rwMyM7Y=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3Dbcbc26c9e06c4fe1c9e4d55fa27a501c504ea84e23e114b8ac004f7
> c0776cd0b
> https://clicktime.symantec.com/a/1/DvhFK5KhEvCMzdYbMfWcMszP
> yUmwumBtBw7KULICQNk=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3Df0935ce297419cc148bde49a7a123f2b2419cdd52df8e7f49e7bba0
> 7fe872559
> https://clicktime.symantec.com/a/1/bVc-
> 6BOqerbwbrXUNbJu8pE6Vy80A5iky_MQqAMWgaA=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3D3601ab49034e69d6e2137a80e511a0640252f444b75d6baca7bf46
> https://clicktime.symantec.com/a/1/uZoiIkm1yJ-
> wqrsj50BAsLnMXK8PZ3NxcouYQEZu9FQ=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3D09AECE5B94BBB8A9EE2152FA6FB7261630124918DA015EB35715
> 08EF6D31DD30
> https://clicktime.symantec.com/a/1/s2LLW3OI_Iy8EHFssVpBCwNmh
> ZYy1Fj3Jzz9JIZSFpQ=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3DCC0A2AE0EF5B1A6CF242D7B4C77AC9F05B49494B42C8486B4780
> 4874734CFC1C
> https://clicktime.symantec.com/a/1/A3K4rj0hMWJHEL8Gwbg3A3_fK
> cWxBCrko0KsDdX3jPw=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3DF177AC0064167354025CE12B3914A0E056628DD31152B5DF22E41
> 913FC9D9B45
> https://clicktime.symantec.com/a/1/8BpzYG4IsDaFzKnBM5ZFLCABF6
> 94TPWDHnQRABD_Yps=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3Fsha256%3DDA7B1D433C071DA7A389EE2A4CAB854B89E441277B41E608F05F
> B7C7C6B2A761
>
> For more, see:
>
> https://clicktime.symantec.com/a/1/_sbN9qKZDejSAj1U7evxJlBm83
> RyY17fLL1MikfsplM=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcrt.sh%2F%
> 3FO%3Dtest
>
> I doubt there is an organization named "test" located in "test, Korea."
>
> Regards,
> Andrew
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

Nick Lamb

unread,
Jan 21, 2017, 8:09:05 AM1/21/17
On Thursday, 19 January 2017 21:46:38 UTC, Andrew Ayer wrote:
> 2. The third certificate in the list above contains a SAN for
> DNS:*.crosscert.com - note that three of the misissued example.com
> certificates contain "Crosscert" in their Subject Organization.

Crosscert aka Korea Electronic Certification Authority, Inc. has applied to the Mozilla root programme and was identified as a "Super CA" which I understand to mean that they themselves just sign other CA certificates for third parties.

Of course these certificates were issued by Symantec as a member of Mozilla's root programme, all responsibility for ensuring their CA doesn't issue bogus certificates lies with Symantec, not with Crosscert.

Steve Medin

unread,
Jan 21, 2017, 8:35:56 AM1/21/17
to Andrew Ayer, [email protected]
The listed Symantec certificates were issued by one of our WebTrust audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matter. We revoked all reported certificates
which were still valid that had not previously been revoked within the 24
hour CA/B Forum guideline - these certificates each had "O=test". Our
investigation is continuing.
> 2. The third certificate in the list above contains a SAN for
> DNS:*.crosscert.com - note that three of the misissued example.com
> certificates contain "Crosscert" in their Subject Organization.
>

Ryan Sleevi

unread,
Jan 23, 2017, 7:59:04 PM1/23/17
to Steve Medin, [email protected], Andrew Ayer
Steve,

While I understand that your investigation is ongoing, this does seem
extremely similar, if not identical, to Symantec's previous misissuance.

In that previous incident, Symantec took a number of steps - beginning with
reportedly immediately terminating the employees responsible and then
continuing to a comprehensive system overhaul, as detailed at
https://www.symantec.com/page.jsp?id=test-certs-update#

What is particularly concerning here is that your current explanations
suggest that either they are incomplete, or that Symantec's previous
answers were either misleading or incorrect. This is extremely concerning,
and I'm hoping you can clarify with answers to the following questions,
independent of your ongoing investigation and as soon as possible:

1) In response to the previous incident, Symantec indicated they hold a "no
compromise" bar for such breaches in the post titled "A tough day as
leaders". [1]
a) Do you believe that the steps to "reduce privileges" represent a
consistent application of that standard?
b) If not, what additional steps are you taking, consistent with your "no
compromise" standard?

2) In response to the previous incident, Symantec indicated that the use of
any privileged test tool would require senior leader justification from
both QA and Production Operations teams and approvals from the heads of
Engineering and Policy Compliance. [2]
a) Did Symantec mean that this was limited to validations performed by
Symantec, and not that of Registration Authorities fulfilling the duties
pursuant to Section 1.3.2 of the Baseline Requirements?
b) At the time Symantec made this statement, did Symantec have any
Registration Authorities fulfilling the duties pursuant to Section 1.3.2 of
the Baseline Requirements?
c) If such a statement was meant to be limited to Symantec, and not that
of Registration Authorities, why did Symantec not feel it was appropriate
to highlight that it did not extend to activities performed by Registration
Authorities?
d) If such a statement was not meant to be limited to Symantec, was such
a justification provided, and approvals granted, for the tool that allowed
such Registration Authorities to issue these certificates?

3) In response to the previous incident, Symantec indicated a comprehensive
review of issuance privileges was conducted to ensure only authorized
personnel have the ability to issue certificates, and that a quarterly
access review would be conducted to ensure this. [2]
a) Did such comprehensive review include that of Registration Authorities?
b) If not, why did Symantec not disclose that Registration Authorities
were excluded?
c) Is Symantec currently performing access reviews of Registration
Authorities?
d) If so, when does Symantec expect this to be completed?

4) In response to the previous incident, Symantec indicated it updated its
internal policies and procedures for test certificates as used for
commercial certificates. Further, it indicated that QA engineers and
authentication personnel were trained on updated practices for test
certificates. [2]
a) Did Symantec include Registration Authorities in the scope of that
training?
b) If not, why did Symantec not disclose that Registration Authorities
were excluded?
c) If so, why did Symantec's corrective actions for the previous
misissuance fail to prevent this continued misissuance?

5) You have indicated that you have at least one WebTrust audited partner
capable of causing issuance using Symantec-operated CAs.
a) Please provide a link to the audit results for each of these WebTrust
audited partners.
b) Have you suspended the capabilities of these partners until Symantec
completes its investigation?
c) If not, why not, and when do you expect to do so?

6) Does Symantec allow is Registration Authorities to deviate from the
policies and standards set forth by its CP, CPS, and internal policies and
controls?
a) If not, why did Symantec fail to detect that its Registration
Authorities were deviating from its policies for this long?
b) If so, where does Symantec disclose this deviation within its CP
and/or CPS?

7) When do you expect to provide the next update as to the ongoing
investigation? If it is not within the next three days, why?


Thank you for your time in answering each and every one of these questions
and providing further details, so as to help inform the broader community
as to the steps Symantec has taken and is taking to prevent continued
misissuance contrary to the Baseline Requirements and the Mozilla CA
Certificate Policy.

[1] http://archive.is/Ro70U
[2] https://www.symantec.com/page.jsp?id=test-certs-update

Hanno Böck

unread,
Jan 24, 2017, 3:38:42 AM1/24/17
Hello,

I have a few observations to share about this incident, not sure how
relevant they are.

There are 4 "example.com" certificates related to this incident.

There are 114 "O=test" certificates that I assume are related to this
incident. This includes all certificates with a "Not Before" date of
2016-10 and later. crt.sh finds various older certificates with O=test
from various CAs, but I guess they are unrelated.

Issuers
=======

The affected certificates were issued by three different intermediates
owned by Symantec:
Symantec Class 3 Secure Server CA - G4
thawte SSL CA -
GeoTrust SSL CA - G3

Now Symantec told us these certificates were issued by one of their
WebTrust partners. This got me curious if it's usual that Symantec
gives their partners access to their systems in a way that they can use
various different intermediates related to different brand names.

This document here
https://cert.webtrust.org/SealFile?seal=2168&file=pdf
indicates that Korea Electronic Certification Authority Inc.
("CrossCert"), which is probably the partner Symantec is talking about,
is allowed to issue certificates with these intermediates
VeriSign Class 3 Secure Server CA - G3
VeriSign Class 3 International Server CA - G3
Symantec Class 3 Secure Server CA - G4
Which - as can be obviously seen - don't match.

(nitpick: It seems the PDF doc has a bogus document title which looks
like some changelog entry)


Revocations
===========

The 4 example certs were already revoked when Andrew Ayer made this
incident public.
From the 114 "O=test" certificates 62 were revoked at some point in
2016, so before the incident became public. 52 were revoked at some
point in 2017. 37 of those were revoked on 2017-01-20, so directly
afterthe incident got public.
(I've counted this because in a statement sent to the media Symantec
said that when they learned about this incident "most" certificates
were already revoked. I feel I have a different definition of the word
"most".)


Other O=test certificates
=========================

A quick run through other "O=test" certs:
* "Cybertrust Japan Co.. Ltd." seems to have issued a large number of
them, but a few checks indicate they are issued to domains they own.
Not sure if that's still considered a problem, as "O=test" is
obviously a bogus org, but at least they seem to not issue certs for
other people's domains.
* There's one cert issued by "SHECA" which is itself an intermediate
signed by "UniTrust". It's issued for a public IP. UniTrust seems to
be accepted by Apple+Microsoft, but not by Mozilla+Chrome.
https://crt.sh/?id=32335050




--
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Andrew Ayer

unread,
Jan 24, 2017, 2:03:50 PM1/24/17
to Hanno Böck, [email protected]
Hi Hanno,

On Tue, 24 Jan 2017 10:38:01 +0100
Hanno B__ck <[email protected]> wrote:

> Hello,
>
> I have a few observations to share about this incident, not sure how
> relevant they are.

Thanks for sharing these. I found them interesting.

> There are 4 "example.com" certificates related to this incident.
>
> There are 114 "O=test" certificates that I assume are related to this
> incident. This includes all certificates with a "Not Before" date of
> 2016-10 and later. crt.sh finds various older certificates with O=test
> from various CAs, but I guess they are unrelated.

I count 101 distinct O=test certificates with a notBefore date of
2016-10 or later (of these, 2 also have DNS name for *test*.com; also,
there are 3 certs for *test*.com without O=Test). Might you be
double-counting certs and their corresponding pre-certs?

Regards,
Andrew

Ryan Sleevi

unread,
Jan 26, 2017, 11:52:32 AM1/26/17
to Ryan Sleevi, [email protected], Steve Medin, Andrew Ayer
Steve,

Have you had a chance to review these questions? Considering that these are
all about existing practices, and as a CA should be readily available and
easy to answer, I'm hoping you can reply by end of day.

Please consider this a formal request from Google as part of investigating
this incident.

Steve Medin

unread,
Jan 26, 2017, 11:27:52 PM1/26/17
to Andrew Ayer, [email protected]
Here is an attached PDF update regarding this certificate problem report.

Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation

Kathleen Wilson

unread,
Jan 26, 2017, 11:36:35 PM1/26/17
On Thursday, January 26, 2017 at 9:27:52 PM UTC-8, Steve Medin wrote:
> Here is an attached PDF update regarding this certificate problem report.
>
> Kind regards,
> Steven Medin
> PKI Policy Manager, Symantec Corporation
>


The PDF file provided by Steven has been attached to this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1334377

Direct link to pdf file:
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038

Cheers,
Kathleen

Ryan Sleevi

unread,
Jan 26, 2017, 11:36:57 PM1/26/17
to Steve Medin, [email protected], Andrew Ayer
The PDF that was stripped is available at
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038

On Thu, Jan 26, 2017 at 5:30 PM, Steve Medin <[email protected]>
wrote:

> Here is an attached PDF update regarding this certificate problem report.
>
> Kind regards,
> Steven Medin
> PKI Policy Manager, Symantec Corporation
>
> > -----Original Message-----
> > From: dev-security-policy [mailto:dev-security-policy-
> > bounces+steve_medin=[email protected]] On Behalf Of Steve
> > Medin
> > Sent: Saturday, January 21, 2017 9:35 AM
> > To: Andrew Ayer <[email protected]>; mozilla-dev-security-
> > [email protected]
> > Subject: RE: Misissued/Suspicious Symantec Certificates
> >
> > The listed Symantec certificates were issued by one of our WebTrust
> audited
> > partners. We have reduced this partner's privileges to restrict further
> > issuance while we review this matter. We revoked all reported
> certificates
> > which were still valid that had not previously been revoked within the 24
> > hour CA/B Forum guideline - these certificates each had "O=test". Our
> > investigation is continuing.
> >
>

Jakob Bohm

unread,
Jan 27, 2017, 1:18:33 AM1/27/17
(continuing top post for consistency)

For the certificates that are noted as "revoked on the day of
issuance", it would (both in this and the general case), be more
informative to state the revocation delay in a smaller unit of measure,
such as hours (or even smaller if less than an hour).

It is of cause noted, that most of the relevant timestamps are (or were
at the time) recorded with a precision of 1s in published PKI objects,
although parties outside the CA not have an easy way to obtain reliable
copies of the revocation responses that the CA would have issued, and
thus the timestamps of revocation becoming known to revocation-checking
relying parties (which is different from the time that the revocation
may have been also communicated to independent logging systems).
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Jakob Bohm

unread,
Jan 27, 2017, 1:36:27 AM1/27/17
(continuing top posting for consistency)

In order to clarify the potential risk/damage to the Web PKI, it would
be useful to clarify the following in a later report (since this would
require additional investigation):

Were the web identities (DNS names etc.) in the category C, D, E and F
certificates properly vetted as per the CP/CPS etc., the certificates
simply replaced the vetted organization name with "test" in the X.500
distinguished name? Or were some of those issued for insufficiently
(or actually incorrect) web identities?

To the safety of the web PKI this makes a big difference, since if the
web identities were properly and correctly vetted, then the only real
danger was relying parties seeing the word "test" in some user
interfaces instead of the real organization name, thus conferring less
trust (failing closed). If on the other hand the web identities were
insufficiently vetted, then the certificates conferred a security claim
to relying parties not being shown or otherwise inspecting the O= field
(failing open).

Gervase Markham

unread,
Jan 27, 2017, 6:11:06 AM1/27/17
Hi Steve,

On 27/01/17 01:30, Steve Medin wrote:
> Here is an attached PDF update regarding this certificate problem report.

Thanks for the update. Here are some questions:

* It's not clear what the problem is with the issuance in category F. I
don't see any mention of "dev119money.com" in Andrew's initial report.
Can you explain (and provide a crt.sh link)?

* Root Cause, bullet 2 refers to "certificates issued between July 2016
and January 2017"; is it correct that this corresponds to categories A
(one of four certificates), B, D, E and F?

* What processes, other than requiring and inspecting a WebTrust report,
does Symantec have in place to ensure that its RAs behave in accordance
with the CP and CPS of the Symantec-owned roots under which they are
issuing? (Perhaps this will be covered in the report you will issue
after the "additional follow-up" steps are completed?)

* Do such processes include regular, occasional or any review of the
audit logs which show the overriding of compliance failure flags?

Gerv

Nick Lamb

unread,
Jan 27, 2017, 11:43:10 AM1/27/17
On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote:
> * It's not clear what the problem is with the issuance in category F. I
> don't see any mention of "dev119money.com" in Andrew's initial report.
> Can you explain (and provide a crt.sh link)?

https://crt.sh/?id=48539119 appears to be the certificate in question.

The certificate is clearly bogus in that it identifies the Subject O=test, OU=test, etc. yet real DNS names are included in the SANs. It is not clear to me either why this is different from Category D and so I too would appreciate more information from Steven about that.

Steve Medin

unread,
Jan 28, 2017, 8:28:53 PM1/28/17
Symantec's auditors, KPMG, completed a scan of CrossCert certificates to
detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST,
KPMG provided a report that listed 12 problem certificates that were not in
Andrew Ayer's report. We began an investigation into that certificate
problem report at 6:30pm PST Thursday. Six of the certificates contained
numbers in the locality, two were street addresses and four were Bangladeshi
postal codes appended to the city name. Six contained the word "test" in the
organization, but were false positives for legitimate organization names.

We completed our investigation of these 12 certificates by requesting
archived documentation. CrossCert was unable to produce documentation to
prove their validation as required under BR 5.4.1. We revoked all 12
certificates within 24 hours of becoming aware of CrossCert's BR 5.4.1
non-compliance. Our investigation continues.

Links:
https://crt.sh/?id=16869385
https://crt.sh/?id=11199825
https://crt.sh/?id=11633501
https://crt.sh/?id=11281299
https://crt.sh/?id=11283579
https://crt.sh/?id=12504637
https://crt.sh/?id=42016028
https://crt.sh/?id=13161832
https://crt.sh/?id=13161834
https://crt.sh/?id=13161835
https://crt.sh/?id=25211067
https://crt.sh/?id=47456180

Nick Lamb

unread,
Jan 29, 2017, 6:39:10 AM1/29/17
On Sunday, 29 January 2017 02:28:53 UTC, Steve Medin wrote:
> We completed our investigation of these 12 certificates by requesting
> archived documentation. CrossCert was unable to produce documentation to
> prove their validation as required under BR 5.4.1. We revoked all 12
> certificates within 24 hours of becoming aware of CrossCert's BR 5.4.1
> non-compliance. Our investigation continues.

Several of these certificates appear, on any surface inspection, to be legitimate certificates issued to real subscribers and yet presumably CrossCert was not able to document validation. So several thoughts arise, I appreciate that you might want to do more investigation before replying Steve, not least because there are quite a few questions here - and as always I welcome feedback from other participants meanwhile.

1. The six "false positive" certificates appear unremarkable except for the coincidence of including the word "test". If CrossCert can't produce documentation to show these were validated properly, it seems likely that many or even all certificates which Symantec had believed were validated by CrossCert in fact lack such documentation. Is that not so?

2. It had been my assumption, based on the CPS and other documents, that CrossCert was restricted in their use of Symantec's issuance function to C=KR, this is cold comfort for practical purposes in the Web PKI, but it would at least help us to scope any damage. The existence of certificates with C=BD in this list shows my assumption was wrong. How (if at all) can an outsider determine if in fact CrossCert caused issuance of a Symantec certificate ? Prior to Andrew's report what _mechanical_ constraints on CrossCert's issuance were in place, in particular any beyond those which were applied to Symantec's own issuances? For example, would it have been possible for them to cause issuance of a 5-year cert? A SHA-1 certificate? To choose specific serial numbers?

3. Since we have every reason to imagine that some (or even all) of the affected certificates were issued in good faith to legitimate subscribers, it would have been nice for Symantec to alert the subscribers when their certificates were revoked. Did Symantec do this? If not does Symantec have the capability to contact these subscribers itself (e.g. email addresses, phone numbers)? If not, does Symantec contractually require of RA partners that they provide a capability for Symantec to contact their subscribers, or relay a message chosen by Symantec on their behalf ?

4. Although BR 5.4.1 says that these records are to be kept by the CA and each Delegated Third Party the obligation is on the CA (here, Symantec) to make the records available to their auditors. Is it in fact the case that this investigation is the first time Symantec has asked Crosscert for such records ? Wasn't Symantec concerned that KPMG (in a routine audit) might ask to see these records but they didn't have them ? Might not other RA partners be affected similarly ?

5. As Symantec will know from its own experience, audits have not proved to be sufficient for detecting systematic non-compliance by CAs. What measures _beyond_ the Webtrust audit did Symantec have in place to detect non-compliance by an RA partner ?

Gervase Markham

unread,
Jan 30, 2017, 5:10:00 AM1/30/17
Hi Nick,

On 29/01/17 12:39, Nick Lamb wrote:
> 2. It had been my assumption, based on the CPS and other documents,
> that CrossCert was restricted in their use of Symantec's issuance
> function to C=KR

Could you point is at the parts of the CPS or other documents which led
you to that belief?

Gerv

Nick Lamb

unread,
Jan 30, 2017, 6:51:52 AM1/30/17
On Monday, 30 January 2017 11:10:00 UTC, Gervase Markham wrote:
> Could you point is at the parts of the CPS or other documents which led
> you to that belief?

I examined a great many documents since Andrew's initial report. I think the document which originally caused me to form this incorrect assumption was

CrossCert Certification Practice Statement
Version 3.8.8
Effective Date: JUNE 29, 2012

this file was available from
http://www.crosscert.com/symantec/certificationeng.pdf
and is linked from the 2016 WebTrust audit report for CrossCert

This document (which I will call CPS 3.8.8) contains a section 3.1.1 Type of Names which asserts

"End-user Subscriber Certificates contain an X.501 distinguished name in the Subject name field and consist of the components specified in Table 5 below."

Table 5 in CPS 3.8.8 says that the attribute Country (C) shall have the value “KR” or not used.

It seemed to me that this document established that as a Relying Party I should conclude an end entity certificate with C=BD is not from CrossCert. Perhaps there's _another_ CPS somewhere else that says otherwise ?

Gervase Markham

unread,
Jan 30, 2017, 8:35:43 AM1/30/17
to Nick Lamb
On 30/01/17 12:51, Nick Lamb wrote:
> CrossCert Certification Practice Statement Version 3.8.8 Effective
> Date: JUNE 29, 2012

That date is interesting. The BRs require CPSes to be revised yearly.

> "End-user Subscriber Certificates contain an X.501 distinguished name
> in the Subject name field and consist of the components specified in
> Table 5 below."
>
> Table 5 in CPS 3.8.8 says that the attribute Country (C) shall have
> the value “KR” or not used.

That seems reasonably conclusive on the face of it. I'm sure Steve will
have noted this point and I hope he will address it in any further
update on the CrossCert situation.

Gerv

Ryan Sleevi

unread,
Jan 30, 2017, 11:36:54 AM1/30/17
to Ryan Sleevi, [email protected], Steve Medin, Andrew Ayer
Steve,

As captured in our private mail exchange last week, Symantec's report fails
to meaningfully address each or any of the questions I raised. Google
considers it of utmost urgency that Symantec share the answers to these
questions, posed a week ago, and based on Symantec's multiple public
statements regarding the previous misissuance. Please confirm your receipt
of these questions and your intent to provide an answer to the community by
end of day, so that we can consider Symantec's answers when considering
appropriate next steps to protect our users. In the absence of timely
information from a CA following a misissuance, it's both necessary and
reasonable to consider the worst as plausible.

For your reference,
https://groups.google.com/d/msg/mozilla.dev.security.policy/fyJ3EK2YOP8/chC7tXDgCQAJ

Andrew Ayer

unread,
Jan 30, 2017, 11:52:34 AM1/30/17
to Nick Lamb, [email protected]
On Fri, 27 Jan 2017 09:43:00 -0800 (PST)
Nick Lamb <[email protected]> wrote:

> On Friday, 27 January 2017 12:11:06 UTC, Gervase Markham wrote:
> > * It's not clear what the problem is with the issuance in category
> > F. I don't see any mention of "dev119money.com" in Andrew's initial
> > report. Can you explain (and provide a crt.sh link)?
>
> https://crt.sh/?id=48539119 appears to be the certificate in question.
>
> The certificate is clearly bogus in that it identifies the Subject
> O=test, OU=test, etc. yet real DNS names are included in the SANs. It
> is not clear to me either why this is different from Category D and
> so I too would appreciate more information from Steven about that.

I would appreciate confirmation from Steve, but note that dev119money.com
is not currently a registered domain name.

Regards,
Andrew

Nick Lamb

unread,
Jan 30, 2017, 4:52:13 PM1/30/17
On Monday, 30 January 2017 17:52:34 UTC, Andrew Ayer wrote:
> I would appreciate confirmation from Steve, but note that dev119money.com
> is not currently a registered domain name.

Ah yes, none of the names on that certificate currently exist in the Internet DNS: devhkhouse.co.kr and devhkautoloan.co.kr don't match anything either. Thank you for spotting this Andrew.

However the names hkhouse.co.kr and hkautoloan.co.kr do exist, they are both currently registered to HK savings bank in the wealthy (and now internationally famous) Gangnam district of Seoul. 911money.com also exists, but appears to be owned by a sketchy US outfit, possibly just harvesting vaguely finance-related domains for re-sale. However, m911money.com is owned by HK savings bank too. HK Savings Bank has certificates from Symantec today, I do not know if CrossCert acted as RA for these certificates.

So, I suppose that this certificate is essentially a typographical error on an enormous scale, like the (fictitious but popular) story that the UK's Guardian newspaper once managed to spell its own name in the masthead "Grauniad".

On this basis I think it's reasonably likely that CrossCert is merely spectacularly incompetent, it (at least sometimes and perhaps always) did not validate DNS names before causing Symantec to issue a certificate and so as a result instead of typo-ridden applications being rejected because they wouldn't validate, bogus certificates were issued.

Detecting such incompetence was Symantec's responsibility and we await any real information about why they failed to do that.

Steve Medin

unread,
Jan 30, 2017, 9:52:02 PM1/30/17
Our response to questions up to January 27, 2017 has been posted as an
attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.



The direct attachment link is:
https://bugzilla.mozilla.org/attachment.cgi?id=8831933.



The bug report contains additional documentation supporting our response.



Kind regards,

Steven Medin
PKI Policy Manager, Symantec Corporation





Jakob Bohm

unread,
Jan 31, 2017, 12:41:42 PM1/31/17
Glad you also answered the key question I posted some time ago (the
last one in the PDF).

According to your answer it appears that the majority of problematic
certificates were, to the WebPKI relying parties, correct and valid
certificates that simply had the legal names of the certificate holders
safely replaced by the non-confusing (in several languages) word "test".

Such certificates, while they may technically violate one or more
CP/CPS/BR rules, are not really dangerous, as they provide the
information of a DV certificate with the stronger vetting of an OV
certificate.

However the incident seems to have revealed deeper and more serious
issues such as bad vetting and failure to retain vetting records.

On 31/01/2017 04:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an
> attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
>
>
>
> The direct attachment link is:
> https://bugzilla.mozilla.org/attachment.cgi?id=8831933.
>
>
>
> The bug report contains additional documentation supporting our response.
>
>
>
> Kind regards,
>
> Steven Medin
> PKI Policy Manager, Symantec Corporation
>


Gervase Markham

unread,
Feb 4, 2017, 5:11:42 AM2/4/17
On 31/01/17 04:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an
> attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.

Quoting that document:

"Q: 4) In response to the previous incident, Symantec indicated it
updated its internal policies and procedures for test certificates as
used for commercial certificates. Further, it indicated that QA
engineers and authentication personnel were trained on updated practices
for test certificates. a) Did Symantec include Registration Authorities
in the scope of that training?

A: We did not train partners on an issue that pertained to a tool they
could not access."

-- That seems to miss the point of the question somewhat. The problem in
the previous incident was poor practices surrounding the issuance of
test certificates, not simply the tool that was used to issue them.

1) Did Symantec do any additional training for RAs regarding the
issuance of test certificates after the last incident? If not, why not?
Did Symantec believe that it was very unlikely for RA personnel to make
the same mistakes or have the same misunderstandings of what was
appropriate as Symantec's personnel?

You also write: "Category C concluded prior to that last audit’s review
period."

2) Is your understanding that, when WebTrust audits are sampling, they
sample only certificates issued during the review period? Or should they
be sampling certificates issued during the entire period covered by the
audit? If the latter, did their sampling (3%, isn't it?) hit any
Category C certificates? How many certificates were in the sample pool?

3) To be totally clear: would it be correct to say that up until this
point, examining WebTrust audits was the only mechanism that Symantec
used to _check_ the conformance of their RAs to Symantec's CP/CPS and
other requirements? (I see you give them software, and docs, and
training, but was this the only _checking_ mechanism?)

New question:

4) Is there any reliable programmatic way of determining, looking only
at the contents of the certificate or certificate chain, that a
certificate was issued by CrossCert personnel using their processes, as
opposed to by Symantec personnel or by another RA?

We look forward to hearing the answers to these questions and further
updates on the situation with CrossCert.

Thanks,

Gerv

Ryan Sleevi

unread,
Feb 4, 2017, 7:33:37 AM2/4/17
to Gervase Markham, [email protected]
On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham <[email protected]> wrote:
>
> 4) Is there any reliable programmatic way of determining, looking only
> at the contents of the certificate or certificate chain, that a
> certificate was issued by CrossCert personnel using their processes, as
> opposed to by Symantec personnel or by another RA?
>
> We look forward to hearing the answers to these questions and further
> updates on the situation with CrossCert.


Gerv, as the information Steve shared about their other RAs show, their
issues with RAs are not limited to CrossCert, unfortunately. Check out the
rest of the details included.

Steve: Given the many issues very clear from CrossCert's CP/CPS, and the
many audit issues disclosed in CertSuperior's report, I'd like to request
that you also disclose the CP/CPS for these CAs. For example, CertiSign's
CP/CPS is not immediately obvious to me as to what Symantec was relying on
EY to audit.

Gervase Markham

unread,
Feb 4, 2017, 8:38:28 AM2/4/17
On 04/02/17 14:32, Ryan Sleevi wrote:
> Gerv, as the information Steve shared about their other RAs show, their
> issues with RAs are not limited to CrossCert, unfortunately. Check out the
> rest of the details included.

Ouch. Thank you for drawing these to my attention; I had neglected to
read them.

Gerv

Martin Heaps

unread,
Feb 4, 2017, 6:43:12 PM2/4/17
As a side note to the main topic, I find it curious and a little disconcerting that the referred link to the E&Y assessement of CrossCert, (outlined in Point 2 of "Additional Follow-ups") found on the document linked by Steve (here :
https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038 )

uses this web address for accessing the E&Y assessment: https://cert.webtrust.org/SealFile?seal=2168&file=pdf and that access this address gives a

> Secured Connection Failure: SSL_ERROR_UNSAFE_NEGOTIATION

status. This (webtrust) organisation which seems to run the role of certifying PKI distributing authorities (such as CrossCert, Symantec, etc) can't use a half decent security certificate for their own sites!

Disappointing.

p.s> Aferwards, running the address through SSLLabs Test it get's an F. See: https://www.ssllabs.com/ssltest/analyze.html?d=cert.webtrust.org

Very Disappointing.

Further information (you probably already know but just for competeness sake.

>From their website:
-----------------------------
What is the purpose of the WebTrust for CAs program

The WebTrust for CAs program helps to ensure that proper procedures are followed in activities involving e-commerce transactions, public key infrastructure (PKI), and cryptography. In online trust and e-commerce transactions, confidentiality, authentication, integrity, and nonrepudiation are vitally important. These requirements are satisfied using PKI and SSL Certificates. A certification authority verifies the identity of an organization/entity and issues a certificate that the organization can use to prove their identity.

CAs are taking an increasingly important role in the security of e-commerce. Although there are many national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied uniformly. The AICPA/CICA WebTrust Program for Certification Authorities ensures that specific policies are implemented and enforced.
-----------------------------

And this organisation can't supply valid TLS certificates for their own websites? Jeeeeeeee

Peter Gutmann

unread,
Feb 4, 2017, 11:20:58 PM2/4/17
to Martin Heaps, [email protected]
Martin Heaps <[email protected]> writes:

>web address for accessing the E&Y assessment:
>https://cert.webtrust.org/SealFile?seal=2168&file=pdf and that access this
>address gives a
>
>> Secured Connection Failure: SSL_ERROR_UNSAFE_NEGOTIATION
>
>status. This (webtrust) organisation which seems to run the role of
>certifying PKI distributing authorities (such as CrossCert, Symantec, etc)
>can't use a half decent security certificate for their own sites!

That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the
server is advertising. Hey, it would be pretty funny if the cert auditors'
certs were broken, but it's just the browser complaining about something else.

Peter.

Gervase Markham

unread,
Feb 5, 2017, 3:48:00 AM2/5/17
to Peter Gutmann, Martin Heaps
On 05/02/17 06:20, Peter Gutmann wrote:
> That's not a cert issue, it's Firefox objecting to the version of SSL/TLS the
> server is advertising. Hey, it would be pretty funny if the cert auditors'
> certs were broken, but it's just the browser complaining about something else.

That machine definitely needs a webserver upgrade.

Gerv

Gervase Markham

unread,
Feb 7, 2017, 10:08:36 AM2/7/17
to Steve Medin
Hi Steve,

On 31/01/17 03:51, Steve Medin wrote:
> Our response to questions up to January 27, 2017 has been posted as an
> attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.

It's now ten days later; are Symantec in a position to answer the next
batch of questions, and also give us an update on the general progress
of your investigation into CrossCert and any other RA difficulties you
may have discovered?

Gerv

Gervase Markham

unread,
Feb 8, 2017, 3:52:46 AM2/8/17
I contacted CPA Canada and got the following response:

"Thanks for your kindly worded note. We are aware of the deficiencies
and have handed the issue over to the IT group at CPA Canada. They are
in the process of making changes but there have been some other issues
exposed in the process, for example, getting the program to operate on a
new server. The IT group is working on this project currently but at the
moment I don’t have a time frame for when changes can be made."

Gerv

Ryan Sleevi

unread,
Feb 8, 2017, 9:08:14 PM2/8/17
to Gervase Markham, Steve Medin, [email protected]
On Sat, Feb 4, 2017 at 3:10 AM, Gervase Markham <[email protected]> wrote:

> On 31/01/17 04:51, Steve Medin wrote:
> > Our response to questions up to January 27, 2017 has been posted as an
> > attachment to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.
>
> Quoting that document:
>
> "Q: 4) In response to the previous incident, Symantec indicated it
> updated its internal policies and procedures for test certificates as
> used for commercial certificates. Further, it indicated that QA
> engineers and authentication personnel were trained on updated practices
> for test certificates. a) Did Symantec include Registration Authorities
> in the scope of that training?
>
> A: We did not train partners on an issue that pertained to a tool they
> could not access."
>
> -- That seems to miss the point of the question somewhat. The problem in
> the previous incident was poor practices surrounding the issuance of
> test certificates, not simply the tool that was used to issue them.
>
> 1) Did Symantec do any additional training for RAs regarding the
> issuance of test certificates after the last incident? If not, why not?
> Did Symantec believe that it was very unlikely for RA personnel to make
> the same mistakes or have the same misunderstandings of what was
> appropriate as Symantec's personnel?
>
> You also write: "Category C concluded prior to that last audit’s review
> period."


Steve,

To echo Gerv's remarks, the statement Symantec issued for the previous
misissuance [1] stated:
"Symantec has updated its internal policies and procedures to strongly
reinforce that all test certificates must follow the same fulsome
authentication procedures as commercial certificates."

Section 9.8 of the Baseline Requirements, v1.4.2 states
"For delegated tasks, the CA and any Delegated Third Party MAY allocate
liability between themselves contractually
as they determine, but the CA SHALL remain fully responsible for the
performance of all parties in accordance with
these Requirements, as if the tasks had not been delegated. "

1) Does Symantec believe that the original statement is sufficiently clear
that it was limited solely to Symantec's role in validating, and did not
extend to that of Delegated Third Parties?
2) Did Symantec management believe it was not necessary to notify and
inform its Delegated Third Parties about the need and significance to
conform to Symantec's CP and CPS, and of the necessity of ensuring that all
issued certificates - regardless of mechanism - must follow the same
fulsome authentication procedures?

Similarly, the statement Symantec issued for the previous misissuance [1]
stated:
"Symantec updated its internal policies, procedures, and trainings to
clarify the April 2014 change in the Baseline Requirements that removed
authorization to issue certificates to unregistered domains."

Your most recent response, [2], notes that:
"RAs are required to follow the same policies as set forth in Symantec’s CP
and CPS documents."

Regarding Certisign:
3) The most recent version of Certisign's CP/CPS that I'm able to publicly
confirm is http://vtn.certisign.com.br/repositorio/politicas/DPC_
da_Certisign.pdf , which is dated 2012. Is this the correct CP/CPS?
4) Can Symantec confirm that this is the CP/CPS that was audited?
5) Does Symantec believe that this CP/CPS is consistent with Symantec's
update CP and CPS documents updated in response to the previous misissuance?
6) Does Symantec believe that the audit letter, indicated in [2], which
clearly indicates that the effective criteria were based on "SSL Baseline
Requirements Audit Criteria, Version 1.1", available at [3], represents a
sufficient demonstration of conformance to Symantec's CP/CPS?
7) Does Symantec believe that the audit letter, indicated in [2], conducted
by Ernst and Young Brazil, conforms with the professional obligations with
respect to WebTrust licensing, and Symantec's obligation to ensure said
compliance as part of its Delegated Third Party conformance to the Baseline
Requirements' audit standards? Specifically, the requirement to use
"WebTrust for CA - SSL Baseline with Network Security 2.0" for all audits
whose periods begin after 1-Jul-14, which EY Brazil demonstrably did not
follow?

Regarding Certsuperior:
Symantec has indicated that the 2016 audit of Certsuperior was qualified,
as demonstrated in [4]. During Symantec's previous misissuance event,
Symantec noted that:
"We have also enhanced our compliance function by consolidating all
compliance activities into a single group reporting directly to the head of
our Website Security business unit. This change was made in January 2016;
this new compliance structure includes enhanced identification, tracking,
prioritization and resolution of compliance-related updates, which will
help ensure that CA/Browser Forum rule changes are effectively implemented."

8) Was Symantec's compliance group involved in reviewing the qualified
audit report findings?
9) Did Symantec's management or compliance group disclose this
qualification to Mozilla?
10) Did Symantec's management or compliance group make its determination of
Certsuperior's compliance to Symantec's CP/CPS using
Certsuperior's publicly available CP/CPS, which Certsuperior's auditor,
Deloitte, noted in [4] that "The policies, procedures, and agreements are
not available for consultation." and that "The CPS published is illegible"?
11) If not, what CP/CPS did Symantec use, and how did Symantec ensure it
was appropriately audited?
12) If so, how did you do so, when the auditors themselves were not able to?
13) Given Symantec's previous statements regarding "holding ourselves to a
'no compromise' bar" [5], and the numerous issues identified in [4],
including an audit finding of "We noted roles of users that are not Trusted
Roles with access to validation requests at the web application", a "lack
of network segmentation for distinguishing between equipment with access to
applications and that which are not part of the validation process", and
that Certsuperior's network scans were "not performed with sufficient
periodicity and had only ever been executed over the
https://www.certsuperior.com website" and "were executed by personnel
without technical skill, ethics code, or independence", why does Symantec
still have an RA relationship with Certsuperior?
14) Does Certsuperior pay Symantec to engage as a Registration Authority?
15) If so, what does Symantec believe should be the reasonable
interpretation relative to the continued trustworthiness of Symantec and
Symantec's management of the fact that Symantec terminated employees for
cause for being involved in misissuance, but has continued to engage in a
business relationship with entities who have performed demonstrably worse,
but which pay Symantec for that privilege?

Regarding CrossCert:
The audit report indicated in [6] directly states that the audited CP/CPS
version of CrossCert is version 3.8.8, available at [7]. This version
indicates it was "Published Date: June 29, 2012". This audit was performed
by Ernst and Young, Korea.

16) Similar to Q3, is this the correct CPS?
17) Similar to Q5, does Symantec believe this CP/CPS, dated in 2012, is
consistent with Symantec's CP/CPS, which was updated in response to past
misissuances?

Regarding Registration Authorities
18) Can you confirm that Symantec's response in [2] is correct and
comprehensive for all brands directly and indirectly operated by Symantec,
including, but not limited to, Verisign, Symantec, Thawte, GeoTrust, and
RapidSSL offerings?
19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur
are the only Delegated Third Parties utilized by Symantec, across all
Symantec operated CAs that are trusted by Mozilla products?


We appreciate your attention to these questions and will thoughtfully
consider a response to these questions if received no later than 2017-02-13
00:00:00 UTC.

Thanks,
Ryan


[1] https://www.symantec.com/page.jsp?id=test-certs-update#
[2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
[3] http://www.webtrust.org/homepage-documents/item76002.pdf
[4] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930
[5] http://archive.is/Ro70U
[6] https://cert.webtrust.org/SealFile?seal=2167&file=pdf
[7] http://www.crosscert.com/symantec/certificationeng.pdf

Gervase Markham

unread,
Feb 9, 2017, 3:57:07 AM2/9/17
to Steve Medin, [email protected]
On 09/02/17 03:07, Ryan Sleevi wrote:
> We appreciate your attention to these questions and will thoughtfully
> consider a response to these questions if received no later than 2017-02-13
> 00:00:00 UTC.

Mozilla also requests answers to these excellent questions under the
same terms and, for the avoidance of doubt, interprets the above as the
point in time between Sun 2017-02-12 and Mon 2017-02-13, rather than the
point in time between Mon 2017-02-13 and Tue 2017-02-14.

Gerv

Nick Lamb

unread,
Feb 9, 2017, 7:23:03 PM2/9/17
On Thursday, 9 February 2017 03:08:14 UTC, Ryan Sleevi wrote:
> 19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur
> are the only Delegated Third Parties utilized by Symantec, across all
> Symantec operated CAs that are trusted by Mozilla products?

Maybe Ryan has better information than me, but I had assumed that in practice all the companies identified on their site as Symantec "Affiliates" offering SSL are or have been Delegated Third Parties under the BRs.

https://forms.ws.symantec.com/verisign-worldwide/index.html

I confess that I reached this supposition by Googling "Symantec Crosscert" and thinking about what I found, rather than through deep knowledge of Symantec's business or direct personal information.

Symantec provides the following links for "affiliates" offering SSL

https://www.acs.altech.co.za/symantec-pki
https://www.egypttrust.com/
http://www.comsign.co.il/
http://www.verisign.co.jp/
http://www.crosscert.com/
http://www.itrus.com.cn/
http://www.msctrustgate.com/
http://www.mysecuresign.com/
http://www.niftetrust.com/
http://www.safescrypt.com/
http://www.adacom.com/
http://www.skyrr.is/
http://www.telefonica.es/
http://www.trustitalia.it/
http://www.certsuperior.com/
http://www.certisign.com.br/
http://www.certisur.com/
http://www.e-sign.cl/

Some of those were on Ryan's list above already, and some are defunct, but despite language barriers I think I was able to determine that some of the others are selling Symantec certificates. I suppose it's possible that they're merely acting as resellers and all validation etc. is done by Symantec, but I wanted to flag it up.

Steve Medin

unread,
Feb 12, 2017, 9:28:26 AM2/12/17
A response is now available in Bugzilla 1334377 and directly at:
https://bugzilla.mozilla.org/attachment.cgi?id=8836487


> -----Original Message-----
> From: Gervase Markham [mailto:[email protected]]
> Sent: Thursday, February 09, 2017 4:56 AM
> To: Steve Medin <[email protected]>; mozilla-dev-security-
> [email protected]
> Cc: [email protected]
> Subject: Re: Misissued/Suspicious Symantec Certificates
>
> On 09/02/17 03:07, Ryan Sleevi wrote:
> > We appreciate your attention to these questions and will thoughtfully
> > consider a response to these questions if received no later than
> > 2017-02-13
> > 00:00:00 UTC.
>

Nick Lamb

unread,
Feb 12, 2017, 12:02:52 PM2/12/17
On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote:
> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487

Thanks for these responses Steve,

I believe that Symantec's decision to terminate the RA Partner programme was a good one, not only in light of what's been found during this specific investigation, but also because it makes the CA function within Symantec simpler. It definitely feels as though some of the issues (big and small) with Symantec's CA function in the past few years grew out of complexity. Simpler systems are easier to correctly reason about and thus to manage properly.

Simpler systems are also easier for the Root Programmes to oversee and for the Relying Parties to put their trust in. This group has fought against the presumption that "foreign" CAs are necessarily less trustworthy, but the fact is that a person who was happy with a Symantec certificate on the basis that it was issued by a famous US Corporation might have been very surprised to learn the decision to issue was actually taken by a company they've never heard of in Korea, or Brazil.

Given Symantec's experiences here, I would recommend that Mozilla's routine letter to CAs might ask them if they have any similar programme and if so what measures they have in place to ensure their RAs or similar Third Parties are really living up to the standards Mozilla requires. Depending on the responses this might need further action from Mozilla. It would also make sense to ask about this during new CA enrollment. There's maybe a small piece of work here to figure out what sort of characteristics best distinguish something like Symantec's relationship with Crosscert from unremarkable business practices like corporate accounts to issue many certificates without them each being validated separately.

Eric Mill

unread,
Feb 12, 2017, 1:12:57 PM2/12/17
to Nick Lamb, [email protected]
Though Nick's email implies the announcement, for the benefit of the list,
here's Symantec's introduction at the top of their response:

Based on our investigation of CrossCert, we have concerns due to (1)
demonstrated non-compliance with processes and controls, (2) assertions of
third party auditors that need far greater oversight than we previously
expected, and (3) the fact that these issues have enabled cases of
certificate mis-issuance. As a result, we have made the decision to
terminate our partner RA program.

We will continue to work with select partners that have local market
contacts and expertise to facilitate an interface with customers and
collection of relevant documentation, however Symantec personnel will
validate 100% of all asserted identity data and control certificate
issuance going forward. We have communicated this change to each of our RA
partners, we are finalizing a transition plan, and intend to implement that
transition quickly.

In addition, to alleviate any concern by customers or relying parties on
the integrity of the certificates issued by these RA partners, Symantec
will review the validation work of 100% of issued certificates and
revalidate any where we identify any deficiency. Certificates issued with
deficient validation will be replaced and revoked. Our work will be
included in scope of our next WebTrust audits.


On Sun, Feb 12, 2017 at 1:02 PM, Nick Lamb via dev-security-policy <
[email protected]> wrote:

> On Sunday, 12 February 2017 15:28:26 UTC, Steve Medin wrote:
> > A response is now available in Bugzilla 1334377 and directly at:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8836487
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>



--
konklone.com | @konklone <https://twitter.com/konklone>

Eric Mill

unread,
Feb 12, 2017, 1:27:16 PM2/12/17
to Nick Lamb, [email protected]
Also relevant are Symantec's statements about two E&Y regional auditors.

One section describes contradictions from E&Y KR (Korea) in describing why
some CrossCert issuing CAs were not in scope:

• The list of CAs in the audit was produced by CrossCert and given to E&Y
KR as the scope to audit. It was not given to E&Y by Symantec.

• E&Y KR initially stated that CrossCert did not fully disclose the list of
CAs. E&Y KR later stated that CrossCert provided a list of all their
issuing CAs but reduced the list of issuing CAs in scope of sampling for
budgetary reasons.

• Due to these conflicting statements and further discoveries explained
below, Symantec will no longer accept audits from E&Y KR.


And a second section is about contradictions and delays in describing the
scope of an audit that E&Y BR (Brazil) performed on Certisign:

E&Y BR produced two deficient letters regarding the 2014 and 2015 Certisign
audits. Initially we received a letter that stated a January 1, 2014 to
December 31, 2014 audit period in its introduction and a January 1, 2014 to
December 31, 2015 audit period in its conclusion. The letter appeared to
cover a two year period. We asked for clarification multiple times. That
clarifying letter stated a 2015 audit period.

E&Y BR does not meet our requirements for RA audit quality, timeliness, and
responsiveness to our demands. Symantec will no longer accept audits from
E&Y BR should we have a future need for in-market audit support.
>> > A response is now available in Bugzilla 1334377 and directly at:
>> > https://bugzilla.mozilla.org/attachment.cgi?id=8836487
>>

Andrew Ayer

unread,
Feb 12, 2017, 2:17:44 PM2/12/17
to Steve Medin, [email protected], [email protected], Gervase Markham
Hi Steve,

I have a few questions:

1. What criteria is Symantec using to determine if a certificate has a
"deficiency" that warrants re-validation?

2. How will Symantec assess whether the domain(s) in a certificate were
correctly validated?

3. Is any of the information gathered by processing agents used for
domain validation?

Regards,
Andrew


On Sun, 12 Feb 2017 15:27:42 +0000
Steve Medin via dev-security-policy
<[email protected]> wrote:

> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487
>
>
> > -----Original Message-----
> > From: Gervase Markham [mailto:[email protected]]
> > Sent: Thursday, February 09, 2017 4:56 AM
> > To: Steve Medin <[email protected]>; mozilla-dev-security-
> > [email protected]
> > Cc: [email protected]
> > Subject: Re: Misissued/Suspicious Symantec Certificates
> >
> > On 09/02/17 03:07, Ryan Sleevi wrote:
> > > We appreciate your attention to these questions and will
> > > thoughtfully consider a response to these questions if received
> > > no later than 2017-02-13
> > > 00:00:00 UTC.
> >
> > Mozilla also requests answers to these excellent questions under
> > the same terms and, for the avoidance of doubt, interprets the
> > above as the point in time between Sun 2017-02-12 and Mon
> > 2017-02-13, rather than the point in time between Mon 2017-02-13
> > and Tue 2017-02-14.
> >
> > Gerv
>

Kurt Roeckx

unread,
Feb 13, 2017, 3:06:02 AM2/13/17
So after reading this, the following auditors aren't trusted by Symantec
anymore:
- E&Y Korea
- E&Y Brazil

The following isn't trusted by Mozilla anymore:
- E&Y Hong Kong

This seems to be a worrying trend to me.


Kurt

Peter Gutmann

unread,
Feb 13, 2017, 3:10:17 AM2/13/17
to [email protected], Kurt Roeckx
Kurt Roeckx via dev-security-policy <[email protected]> writes:

>So after reading this, the following auditors aren't trusted by Symantec
>anymore:
>- E&Y Korea
>- E&Y Brazil
>
>The following isn't trusted by Mozilla anymore:
>- E&Y Hong Kong
>
>This seems to be a worrying trend to me.

It's OK, E&Y have offices in 150 countries, it'll take years to go through
them all.

Peter.

Nick Lamb

unread,
Feb 13, 2017, 4:10:05 AM2/13/17
On Monday, 13 February 2017 09:06:02 UTC, Kurt Roeckx wrote:
> This seems to be a worrying trend to me.

Almost certainly it would be wrong for us to look at these three data points and conclude from them that the main problem is EY itself. Not to say they can't do better, or be a key agent of change, but that I believe it would be an error to spend more than a small amount of effort on that.

Symantec tripped themselves up here by relying on auditors to check something they were in an excellent position to examine for themselves. If local auditors are incompetent or corrupt and do not uncover policy deviations on the ground, such as lack of physical security or use of untrained staff then that is a problem and only improved audits can fix it. But when it came to issuance Symantec chose to examine audit results rather than look at their own systems to determine what was being issued. Likewise for the documentation capture - Symantec could have known months or years ago if CrossCert's validation was inadequate by seeing the evidence captured, rather than relying on the auditors to determine that.

If CrossCert was actually operated by a pair of students from a flat in Amsterdam, but Symantec had been able to achieve confidence that it was adequately validating subject identities and documenting this work correctly it seems to me that the threat to the Web PKI from their deceit is rather modest. Doubtless Symantec would be very unhappy with this purported Korean company, but there wouldn't be bogus certificates out there that should never have been issued, just a bunch of red faces at Symantec.

On the other hand, even if auditors flew in from London and New York and from each of the Big Four professional services networks to examine CrossCert's physical site in Korea and their implementation of policy on the ground, that's worthless if CrossCert are anyway still causing Symantec to issue "test" certificates for example.com and Symantec doesn't even detect it.

However, I recall that for EY Hong Kong I asked Mozilla / Gerv to ensure the head office in London was informed of Mozilla's decision. I would recommend that Symantec should likewise inform the London head office of their decision. Notionally all the Big Four have global policy and consistency of service set from their head offices, and so that's the place to intervene if there really is anything to be done about the problem. Given the poor quality we've seen in the Big Four's multi-billion dollar financial audit work, compared to their success as almost universally the only firms to get any work from large multi-national companies another reason for my saying we shouldn't throw lots of effort at this part of the problem is that success is unlikely.

There is a (disputed) saying in the Web PKI that "Revocation doesn't work". Likewise I would argue, "Audit doesn't work".

Gervase Markham

unread,
Feb 13, 2017, 6:49:16 AM2/13/17
Hi Steve,

On 12/02/17 15:27, Steve Medin wrote:
> A response is now available in Bugzilla 1334377 and directly at:
> https://bugzilla.mozilla.org/attachment.cgi?id=8836487

Thank you for this timely response. Mozilla continues to expect answers
to all reasonable and polite questions posed in our forum, and is happy
that Symantec is taking this approach.

Here are some additional questions, although Mozilla as always reserves
the right to ask more later. Some of my questions may be similar to
those posed by other group participants.

* What criteria are Symantec using to judge whether the validation of a
particular certificate was deficient and needs redoing? Does this
process rely on an assumption that any work logs kept by the RAs are
accurate records of work actually done?

* When you say "Symantec authorized CrossCert to issue certificates from
each of the identified CAs", do you mean all five separate certificates
listed to the left of this answer in the document? Or do you mean the
top list? Or the bottom list? Or something else?

* When the revalidation process is complete, will Symantec be reporting
on how many certificates were unable to be revalidated?

* Further to your third response, can you provide a list of the
certificate fields which CrossCert did or did not have control over, and
whether those fields had Symantec-side validation with compliance
flagging, and whether those flags could be overridden? To show what I am
after, such a list might hypothetically begin:

- notBefore/notAfter: no direct control
- Certificate duration: control, minimum 12 months, maximum 39 months
- Hash algorithm: no control
- Domain name: full control, Symantec-side validation, overrideable
....

* You write: "Further, we have deployed support for, and honor
Certification Authority Authorization across all systems to put control
of authorized CA’s in the hands of customers". This is great news :-)
>From what date has this been true? Can you confirm that CAA checking
applies to all Symantec-owned brands?

* Further to your answer about sampling sizes, what (in Symantec's
experience) normally defines the sample size an auditor will use when
sampling issued certificates during an audit? Is it a fixed number, or
defined by the auditor, the issuer, or a dialogue between the two, or
some other method?

* http://vtn.certisign.com.br/repositorio/politicas/DPC_da_Cert
isign.pdf is dated 2012. BRs section 2 say that the CP and CPS need to
be annually updated. Do we understand that this did not happen in the
case of Certisign?

* Same question for CrossCert.

Gerv

Ryan Sleevi

unread,
Feb 13, 2017, 5:23:01 PM2/13/17
to Gervase Markham, Steve Medin, [email protected]
On Mon, Feb 13, 2017 at 4:48 AM, Gervase Markham via dev-security-policy <
[email protected]> wrote:

> Hi Steve,
>
> On 12/02/17 15:27, Steve Medin wrote:
> > A response is now available in Bugzilla 1334377 and directly at:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8836487
>
> Thank you for this timely response. Mozilla continues to expect answers
> to all reasonable and polite questions posed in our forum, and is happy
> that Symantec is taking this approach.


Indeed Steve, thank you for your continued attention as we try to gain the
information and understanding necessary to determine how best to protect
users from misissued certificates.

I note that Symantec's answer to question 1 in [1] reiterates that, in
Symantec's view, the set of misissuance previously was solely related to a
specific internal tool, and as such, the remediation steps Symantec engaged
in focused on the process and controls related to that tool.

I highlight this because it seems difficult to understand the distinction
between the previous event and this current event, and understanding that
distinction seems relevant to understanding whether the steps Symantec took
previously were reasonable and complete to address this set of issues and
the community trust, as well as understanding the steps Symantec is
proposing or has taken in response to this current set of issues.

In the previous misissuance event, my understanding is that Symantec
asserts that the whole totality of the misissuance was related to a single,
specific tool. Symantec's initial response [2] was to assert that the issue
was limited to rogue actions of a few individuals contrary to Symantec's
policies and procedures. The proposed remediation of this was a termination
of relationship with those specific individuals. However, it was pointed
out by browsers based on a simple cursory examination that such a statement
was not consistent with the data - that the full set of issues were not
identified by Symantec in their initial investigation, and only upon
prompting by Browsers with a specific deadline did Symantec later recognize
the scope of the issues. In recognizing the scope, it was clear that the
issues did not simply relate to the use of a particular tool, but also to
the practices of employees with respect to asserting that things were
correct when they were not. A specific example is that the role of
Validation Specialist - which is tasked with independently reviewing the
certificate request for non-compliance - was designed in such a way that it
could be bypassed or overridden without following the appropriate policies.
These were actions independent of any particular tooling.

These issues were then amplified by the fact that Symantec was failing to
ensure that its policies and practices adhered to the appropriate version
of the Baseline Requirements, and that employees and staff were trained on
the appropriateness of ensuring the appropriate policies were followed,
regardless of the tools being employed.

In response to this issue, Symantec took a series of corrective steps, such
as:
- A comprehensive review of its Policies and Practices to ensure compliance
with the Baseline Requirements, as requested in [3] (and available at [4])
- The establishment of a centralized Compliance team to ensure compliance
across Symantec branded-CAs
- Internal training, which on the basis of [1] appears to have been limited
to a specific tool, rather than to the overall auditable criteria or
policies


In the current misissuance, my understanding is that Symantec asserts that
the totality of the misissuance was related to RAs. Symantec's initial
response to the set of questions posed by Google [5] indicated that " At
this time we do not have evidence that warrants suspension of privileges
granted to any other RA besides CrossCert" in the same message that
provided the CP/CPS for other RAs besides CrossCert, and itself a follow-up
to Symantec's initial response to the Mozilla community, [6], which
acknowledged for the potential of audit issues in the statement "We are
reviewing E&Y’s audit work, including E&Y’s detailed approach to
ascertaining how CrossCert met the required control objectives.". This
appears to be similar to the previous event, in that the proposed
remediation was first a termination of relationship with specific
individuals. However, in Symantec's most recently reply, [1], it seems that
again, on the basis of browser questions from a simple cursory examination
that such a statement was not consistent with the data - that is, that the
full set of issues were not identified by Symantec in their initial
investigation, and only upon prompting by Browsers with a specific deadline
did Symantec later recognize the scope of the issues. In recognizing the
scope, it was clear that the issues did not simply relate to the use of a
particular RA or auditor, but also to the practices of RAs with respect to
asserting things were correct when they were not.

It appears that, similar to the Testing Tool's failure to ensure that
certificates were adhering to the fulsome standards of authentication,
Symantec's newly established compliance team was failing to perform even a
cursory review of the CP, CPS, and audit statements presented - despite
Symantec having found it necessary in that introspective process themselves
in response to [3], as noted above.

Symantec's also stated that, in response to the past misissuance, it
deployed a compliance assessment tool, which functionally serves a role
similar to a Validation Specialist. However, such compliance assessment was
designed in a way that it could be bypassed or overridden without following
appropriate policies.

Further, as acknowledged in [1], even when Symantec noted that at least one
of their RAs had identified specific deficiencies in practice and issuance,
Symantec determined it was not appropriate to notify Root Stores or Mozilla
of a "problem report". In response to the issues identified in Question 8
of [1], Symantec noted that one of their RAs was deficient in response to
its "policies and business practices change in regards to verification
procedures for issuing certificates", and allowed 90 days for the RA to
remediate this. However, it does not appear Symantec took any corrective
action for the period under audit - a year long period - to review any
issued certificates during the period of deficiency. I highlight this
because Mozilla's Policy [7], Item 5, requires such notification to
[email protected], but Symantec acknowledges in Question 9 of [1]
that it failed to do so.

Symantec's proposed remediation for these issues appears to be limited to:
- Suspend the use of RAs for independent validation of domain control and
organizational information


With this background in mind, and the comparisons highlighted, I do hope
Symantec can consider the following questions:
1) Given that the Baseline Requirements require that Symantec accept full
liability and responsibility for all actions by Delegated Third Parties,
can Symantec please provide what were the specific steps and process
Symantec's Compliance Team took in reviewing Registration Authorities prior
to the detection of this misissuance? Specific example questions include:
a) Did Symantec's compliance team independently assess the WebTrust
licensing status of each received audit?
b) Did Symantec's compliance team review the CP and/or CPS of each
Delegated Third Party to independently assert compliance with the STN
CP/CPS?

2) Given that Symantec has noted that RAs bore the capability to override
the results of the compliance tool, can Symantec please provide details
about every certificate Symantec has issued which has had the compliance
check overridden?

3) Symantec noted in [5] that "Each certificate request is screened for BR
compliance failure. Failures are flagged, preventing RA issuance until the
flag is cleared." Can Symantec please confirm that "RA issuance" refers to
the act of Symantec signing a TBSCertificate and producing a signed
certificate, as opposed to any other interpretation, such as Symantec
signed the certificate, but did not provide it to the RA until the flag was
cleared?

4) Was the problematic audit, highlighted in Questions 10 and 11 of [1],
CertSuperior's first audit as a Symantec RA? Stated differently, did
Symantec engage in any business relationship with CertSuperior prior to the
production of [8]?

5) Symantec's initial response to Mozilla, in [6], indicated that Symantec
will be conducting "a review of our delegated RA controls and why we did
not detect this problematic behavior before it was reported to us". What is
the timeline for when this review will be completed and published?

6) Please provide the specific dates that Symantec engaged in a Delegated
Third Party relationship with each of the RAs, so that the community can
independently evaluate the 'scope of the issues' with respect to what
certificates may be affected by the issues Symantec has disclosed.

7) Are there any elements in the above comparison between the past and
present misissuance that Symantec believes are factually incorrect or
unsubstantiated that Symantec would like to address or correct?


More broadly, a set of questions exist for the community to be considering
in evaluating Symantec's present and past responses, such as:
- Whether the community believes Symantec adhered to the appropriate duty
of care to review the CP, CPS, and audit reports produced for RAs, given
Symantec's own experiences through participation in the Mozilla Community
reviewing CP, CPSes, and audit reports of Symantec and other CA
participants, the Mozilla policies related to disclosure of sub-CA's CP,
CPS, and audit reports, and through Symantec's participation in the
CA/Browser Forum, in which audit and audit issues has been a long-standing
topic of discussion.
- Whether the community believes Symantec's compliance team, which failed
to detect these issues that were prominent and easily discovered, has
demonstrated itself as an appropriate compensating control for either the
past or present issues
- Whether the community believes Symantec's statements regarding the scope
of the issues - and the continued expansion of that scope - fully represent
and contain the set of misissued certificates and the set of compliance
issues
- Whether the choice of Symantec to discontinue the use of RAs represents a
sufficient mitigation for the past, existing and issued certificates
- Whether the choice of Symantec to discontinue the use of RAs represents a
sufficient and suitable mitigation for the possibility of future compliance
issues that may be discovered or arise
- What steps Symantec should take to reassure the Mozilla community of its
ability to abide by the letter and the spirit of the Mozilla CA Certificate
Policy if continuing to participate in the Mozilla CA Certificate program
- What steps Mozilla should take regarding Symantec to reassure the Mozilla
community of the appropriateness of continued trust in Symantec issued
certificates, given the past and present issues


[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487
[2] http://archive.is/Ro70U
[3]
https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
[4] https://www.symantec.com/page.jsp?id=test-certs-update#
[5] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
[6] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038
[7]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion
[8] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831930

Ryan Sleevi

unread,
Feb 17, 2017, 6:23:54 PM2/17/17
to Ryan Sleevi, [email protected], Gervase Markham, Steve Medin
Hi Steve,

Two more question to add to the list which is already pending:

In [1], in response to question 5, Symantec indicated that Certisign was a
WebTrust audited partner RA, with [2] provided as evidence to this fact.
While we discussed the concerns with respect to the audit letter,
specifically in [3], questions 3 - 6, and while Symantec noted that it
would case to accept future EY Brazil audits, I have confirmed with CPA
Canada that at during the 2016 and 2017 periods, EY Brazil was not a
licensed WebTrust practitioner, as indicated at [4].

Given that EY Brazil was not a licensed WebTrust auditor, it appears that
Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1
[5], namely, that "(For audits conducted in accordance with the WebTrust
standard) licensed by WebTrust", which is a requirement clearly articulated
in Section 8.4 of the Baseline Requirements, namely, that "If the CA is not
using one of the above procedures and the Delegated Third Party is not an
Enterprise RA, then the CA SHALL obtain an audit report, issued under the
auditing standards that underlie the accepted audit schemes found in
Section 8.1, ..."

1) Was Symantec's compliance team involved in the review of Certisign's
audit?
2) Does Symantec agree with the conclusion that, on the basis of this
evidence, Symantec failed to uphold the Baseline Requirements, independent
of any action by a Delegated Third Party?

[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
[2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929
[3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487
[4]
http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx
[5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf
unread,
Feb 17, 2017, 6:50:31 PM2/17/17
On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote:
> I have confirmed with CPA
> Canada that at during the 2016 and 2017 periods, EY Brazil was not a
> licensed WebTrust practitioner, as indicated at [4].
>
> [4]
> http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx


The footnote at the above makes that a little hard to understand--

"EY refers to a member firm of Ernst & Young Global Limited. Through a license with Ernst & Young Global Limited all EY members are licensed to provide WebTrust for Certification Authorities services."
unread,
Feb 17, 2017, 7:18:02 PM2/17/17

Ryan Sleevi

unread,
Feb 17, 2017, 9:19:06 PM2/17/17
On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy <
[email protected]> wrote:

> On Friday, February 17, 2017 at 7:50:31 PM UTC-5, [email protected] wrote:
Thanks for highlighting this. Indeed, while confirming the list was up to
date, I had missed the footnote.
The audit was dated 2017/01/24, so the historic status would be irrelevant.
unread,
Feb 17, 2017, 10:07:36 PM2/17/17
Sure. The strange thing to me (and possibly not relevant to this thread) is how both can be true--all E&Y members worldwide are licensed to do WebTrust audits, yet E&Y Brazil was taken *off* the WebTrust list in the latest update.

I think http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx and https://web-beta.archive.org/web/20160320161225/http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx are possibly intended to be read differently. The old list giving specific named firms (or branches), by country (but saying it is a list of "global practitioners") the new list giving many fewer firms, but the country listing meaning...where they are active? If WebTrust revamped their approach to licensing, it might be good to know why/how and when. (And I don't see anywhere on their site where they discuss how they license auditors at all.)

Steve Medin

unread,
Feb 17, 2017, 10:33:47 PM2/17/17
Our third response to questions, including these two below, is posted at Bugzilla, and directly at https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825.





From: Ryan Sleevi [mailto:[email protected]]
Sent: Friday, February 17, 2017 6:54 PM
To: Ryan Sleevi <[email protected]>
Cc: Gervase Markham <[email protected]>; [email protected]; Steve Medin <[email protected]>
Subject: Re: Misissued/Suspicious Symantec Certificates



Hi Steve,



Two more question to add to the list which is already pending:



In [1], in response to question 5, Symantec indicated that Certisign was a WebTrust audited partner RA, with [2] provided as evidence to this fact. While we discussed the concerns with respect to the audit letter, specifically in [3], questions 3 - 6, and while Symantec noted that it would case to accept future EY Brazil audits, I have confirmed with CPA Canada that at during the 2016 and 2017 periods, EY Brazil was not a licensed WebTrust practitioner, as indicated at [4].



Given that EY Brazil was not a licensed WebTrust auditor, it appears that Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1 [5], namely, that "(For audits conducted in accordance with the WebTrust standard) licensed by WebTrust", which is a requirement clearly articulated in Section 8.4 of the Baseline Requirements, namely, that "If the CA is not using one of the above procedures and the Delegated Third Party is not an Enterprise RA, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.1, ..."



1) Was Symantec's compliance team involved in the review of Certisign's audit?

2) Does Symantec agree with the conclusion that, on the basis of this evidence, Symantec failed to uphold the Baseline Requirements, independent of any action by a Delegated Third Party?



[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933<https://clicktime.symantec.com/a/1/6wJmuz5H2ktURSIGjev34ZuuQTad1LRVz1nIlADR7XE=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831933>

[2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929<https://clicktime.symantec.com/a/1/pfZiLBH0rxpzxfeiB5YSfvWdOjwpHC72M_rUahZJxKQ=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831929>

[3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487<https://clicktime.symantec.com/a/1/80dDdC7HC5yMdzxfwRS0saqQ2kS5Tvwuo_kNWaXWLCI=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8836487>

[4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx

[5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf<https://clicktime.symantec.com/a/1/7AUAkdAzUJ1un022RuP_TfjD3UiY12QGLjanVeGgxhk=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcabforum.org%2Fwp-content%2Fuploads%2FCA-Browser-Forum-BR-1.4.1.pdf>

Ryan Sleevi

unread,
Feb 22, 2017, 10:33:17 PM2/22/17
to Steve Medin, [email protected], Gervase Markham, [email protected]
Hi Steve,

Thanks for your continued attention to this matter. Your responses open
many new and important questions and which give serious question as to
whether the proposed remediations are sufficient. To keep this short, and
thereby allow Symantec a more rapid response:

1) Please provide the CP, CPS, and Audit Letter(s) used for each RA partner
since the acquisition by Symantec of the VeriSign Trust Services business
in 2010.



On Fri, Feb 17, 2017 at 8:32 PM, Steve Medin via dev-security-policy <
[email protected]> wrote:

> Our third response to questions, including these two below, is posted at
> Bugzilla, and directly at https://bug1334377.
> bmoattachments.org/attachment.cgi?id=8838825.
>
>
>
>
>
> From: Ryan Sleevi [mailto:[email protected]]
> Sent: Friday, February 17, 2017 6:54 PM
> To: Ryan Sleevi <[email protected]>
> Cc: Gervase Markham <[email protected]>; mozilla-dev-security-policy@
> lists.mozilla.org; Steve Medin <[email protected]>
> Subject: Re: Misissued/Suspicious Symantec Certificates
>
>
>

Jeremy Rowley

unread,
Feb 22, 2017, 10:37:36 PM2/22/17
to [email protected], Gervase Markham, [email protected], Steve Medin
Webtrust doesn't have audit criteria for RAs so the audit request may produce interesting results. Or are you asking for the audit statement covering the root that the RA used to issue from? That should all be public in the Mozilla database at this point.

> On Feb 22, 2017, at 8:33 PM, Ryan Sleevi via dev-security-policy <[email protected]> wrote:
>
> Hi Steve,
>
> Thanks for your continued attention to this matter. Your responses open
> many new and important questions and which give serious question as to
> whether the proposed remediations are sufficient. To keep this short, and
> thereby allow Symantec a more rapid response:
>
> 1) Please provide the CP, CPS, and Audit Letter(s) used for each RA partner
> since the acquisition by Symantec of the VeriSign Trust Services business
> in 2010.
>
>
>
> On Fri, Feb 17, 2017 at 8:32 PM, Steve Medin via dev-security-policy <
> [email protected]> wrote:
>
>> Our third response to questions, including these two below, is posted at
>> Bugzilla, and directly at https://bug1334377.
>> bmoattachments.org/attachment.cgi?id=8838825.
>>
>>
>>
>>
>>
>> From: Ryan Sleevi [mailto:[email protected]]
>> Sent: Friday, February 17, 2017 6:54 PM
>> To: Ryan Sleevi <[email protected]>
>> Cc: Gervase Markham <[email protected]>; mozilla-dev-security-policy@
>> lists.mozilla.org; Steve Medin <[email protected]>
>> Subject: Re: Misissued/Suspicious Symantec Certificates
>>
>>
>>

Ryan Sleevi

unread,
Feb 22, 2017, 10:48:41 PM2/22/17
to Jeremy Rowley, [email protected], Gervase Markham, [email protected], Steve Medin
On Wed, Feb 22, 2017 at 8:36 PM, Jeremy Rowley <[email protected]>
wrote:

> Webtrust doesn't have audit criteria for RAs so the audit request may
> produce interesting results. Or are you asking for the audit statement
> covering the root that the RA used to issue from? That should all be public
> in the Mozilla database at this point.


Hi Jeremy,

I believe the previous questions already addressed this, but perhaps I've
misunderstood your concern.

"Webtrust doesn't have audit criteria for RAs so the audit request may
produce interesting results."

Quoting the Baseline Requirements, v.1.4.2 [1] , Section 8.4
"If the CA is not using one of the above procedures and the Delegated Third
Party is not an Enterprise RA, then the
CA SHALL obtain an audit report, issued under the auditing standards that
underlie the accepted audit schemes
found in Section 8.1, that provides an opinion whether the Delegated Third
Party’s performance complies with
either the Delegated Third Party’s practice statement or the CA’s
Certificate Policy and/or Certification Practice
Statement. If the opinion is that the Delegated Third Party does not
comply, then the CA SHALL not allow the
Delegated Third Party to continue performing delegated functions. "

Note that Symantec has already provided this data for the four RA partners
involved for the 2015/2016 (varies) period, at [2]. Specifically, see the
response to Question 5 at [3].

"Or are you asking for the audit statement covering the root that the RA
used to issue from? That should all be public in the Mozilla database at
this point."

Again, referencing Question 5 at [3], and the overall topic of the thread,
no, I am not asking for the audit statement covering the root that the RA
used to issue from. I'm asking for the audit report, issued under the
auditing standards that underlie the accepted audit schemes found in
Section 8.1, that provides an opinion whether the Delegated Third Party's
performance complies with either the Delegated Third Party's practice
statement or the CA's Certificate Policy and/or Certification Practice
Statement.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1334377
[3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933

Jeremy Rowley

unread,
Feb 22, 2017, 11:22:22 PM2/22/17
to [email protected], Gervase Markham, [email protected], Steve Medin
I am aware of the requirements but am interested in seeing how an RA that doesn't have their own issuing cert structures the audit report. It probably looks the same, but I've never seen one (unless that is the case with the previously provided audit report).

On Feb 22, 2017, at 8:48 PM, Ryan Sleevi <[email protected]<mailto:[email protected]>> wrote:

Ryan Sleevi

unread,
Feb 23, 2017, 3:20:22 AM2/23/17
to Jeremy Rowley, [email protected], Gervase Markham, [email protected], Steve Medin
I'm sorry, I'm still a little confused about how to understand your
response.

I can't tell if you're discussing in the abstract - as in, you don't know
how an Delegated Third Party would ever meet that definition, due to the
absence of "auditing standards that underlie the accepted audit schemes
found in Section 8.1" therefore you don't think what Symantec has been
doing since 2010 is permitted by the Baseline Requirements at all, and they
should have stopped five years ago. That implies you read through the links
provided by Symantec so far of the four RAs that they assert were operating
as Delegated Third Parties (which is the only way this could have been
acceptable to begin with), but that you disagree that they're evidence of
compliance with the restrictions on the Delegated Third Parties. Is this
what you meant?

Or if you mean something concrete - that is, that you literally are
interested and curious, without any subtext. In that case, it implies you
may not have checked the links in the message you were replying to yet, and
this was more of an aside, rather than a direct question. If this was the
case, do you think it's reasonably clear the question I'd asked of Steve?

Or am I completely off the mark? I just want to make sure that the question
I asked is clear and unambiguous, as well as making sure I'm not
misunderstanding anything.

On Wed, Feb 22, 2017 at 9:21 PM, Jeremy Rowley <[email protected]>
wrote:

> I am aware of the requirements but am interested in seeing how an RA that
> doesn't have their own issuing cert structures the audit report. It
> probably looks the same, but I've never seen one (unless that is the case
> with the previously provided audit report).
>
> On Feb 22, 2017, at 8:48 PM, Ryan Sleevi <[email protected]> wrote:
>
>
>
> On Wed, Feb 22, 2017 at 8:36 PM, Jeremy Rowley <[email protected]

Ryan Sleevi

unread,
Feb 24, 2017, 6:51:52 PM2/24/17
to Ryan Sleevi, [email protected], Steve Medin, Gervase Markham
On Wed, Feb 22, 2017 at 8:32 PM, Ryan Sleevi <[email protected]> wrote:

> Hi Steve,
>
> Thanks for your continued attention to this matter. Your responses open
> many new and important questions and which give serious question as to
> whether the proposed remediations are sufficient. To keep this short, and
> thereby allow Symantec a more rapid response:
>
> 1) Please provide the CP, CPS, and Audit Letter(s) used for each RA
> partner since the acquisition by Symantec of the VeriSign Trust Services
> business in 2010.
>

Hi Steve,

Have you had the opportunity to review and complete this? This is hopefully
a simple task for your compliance team, given the critical necessity of
maintaining of records, so I'm hoping that you can post within the next
business day.

Regards,
Ryan

Peter Bowen

unread,
Feb 24, 2017, 7:12:43 PM2/24/17
to Ryan Sleevi, [email protected], Gervase Markham, Jeremy Rowley, Steve Medin
"auditing standards that underlie the accepted audit schemes found in
Section 8.1"

This is obviously a error in the BRs. That language is taken from
Section 8.1 and there is no list of schemes in 8.1.

8.4 does have a list of schemes:
1. WebTrust for Certification Authorities v2.0;
2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI
EN 319 411-1;
3. A scheme that audits conformance to ISO 21188:2006; or
4. If a Government CA is required by its Certificate Policy to use a
different internal audit scheme, it MAY use such scheme provided that
the audit either (a) encompasses all requirements of one of the above
schemes or (b) consists of comparable criteria that are available for
public review.

1. is slight problematic as no scheme exists by that name, but "Trust
Service Principles and Criteria for Certification Authorities Version
2.0" does exist, which is what I assume is meant.

If we assume that audit scheme, my understanding is that the "auditing
standards that underlie" the scheme is one of the following (which one
depends on the date of the audit and the licensure of the auditor):
(1) AT sec. 101 from SSAE No. 10/11/12 (AICPA)
(2) AT-C sec. 205 from SSAE No. 18 (AICPA)
(3) Section 5025 (CPA Canada)
(4) CSAE 3000 (CPA Canada)
(5) ISAE 3000 (IFAC)

There should be no lack of auditing standards that underlie the Trust
Service Principles and Criteria for Certification Authorities Version
2.0 audit scheme found in section 8.4.

Thanks,
Peter

Ryan Sleevi

unread,
Feb 28, 2017, 2:04:12 AM2/28/17
to Ryan Sleevi, [email protected], Steve Medin, Gervase Markham
Hi Steve,

I think we would have expected this would be fairly easy to obtain, given
the record keeping requirements and the fact that these were relationships
pre-existing to the Symantec acquisition.

Can you speak to more about why the delay, and when Symantec expects this
information to be available?

Santhan Raj

unread,
Feb 28, 2017, 11:45:19 AM2/28/17
On Friday, February 24, 2017 at 5:12:43 PM UTC-8, Peter Bowen wrote:
> "auditing standards that underlie the accepted audit schemes found in
> Section 8.1"
>
> This is obviously a error in the BRs. That language is taken from
> Section 8.1 and there is no list of schemes in 8.1.
>
> 8.4 does have a list of schemes:
> 1. WebTrust for Certification Authorities v2.0;
> 2. A national scheme that audits conformance to ETSI TS 102 042/ ETSI
> EN 319 411-1;
> 3. A scheme that audits conformance to ISO 21188:2006; or
> 4. If a Government CA is required by its Certificate Policy to use a
> different internal audit scheme, it MAY use such scheme provided that
> the audit either (a) encompasses all requirements of one of the above
> schemes or (b) consists of comparable criteria that are available for
> public review.
>
> 1. is slight problematic as no scheme exists by that name, but "Trust
> Service Principles and Criteria for Certification Authorities Version
> 2.0" does exist, which is what I assume is meant.
>
This is something that should be fixed in the BR and in fact both the audit schemes (WTCA & WTBR) should be listed in Section 8.4 (obviously WTCA by itself doesn't cover all BR requirements, only WTBR does). While your assumption is just, Section 1.6.3 has the following reference, so its hard to tell what the intent is.

WebTrust for Certification Authorities , SSL Baseline with Network Security, Version 2.0, available at
http://www.webtrust.org/homepage‐documents/item79806.pdf.

Martin Heaps

unread,
Mar 1, 2017, 2:22:41 PM3/1/17
On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote:

> WebTrust for Certification Authorities , SSL Baseline with Network Security, Version 2.0, available at
> http://www.webtrust.org/homepage‐documents/item79806.pdf.

404 - File or directory not found.

Daniel Boone

unread,
Mar 1, 2017, 3:03:33 PM3/1/17
On 2017-03-01T12:22:32-0800, "Martin Heaps via dev-security-policy"
<[email protected]> wrote:
> On Tuesday, 28 February 2017 17:45:19 UTC, Santhan Raj wrote:
>
> > WebTrust for Certification Authorities , SSL Baseline with Network Security, Version 2.0, available at
> > http://www.webtrust.org/homepage‐documents/item79806.pdf.
>
> 404 - File or directory not found.

http://www.webtrust.org/homepage-documents/item79806.pdf

The U+2010 in the link Santhan Raj posted should have been U+002D.

Steve Medin

unread,
Mar 3, 2017, 3:13:31 PM3/3/17
Our fourth response to questions is posted at Bugzilla, https://bugzilla.mozilla.org/show_bug.cgi?id=1334377.



It includes two attachments at that bug:

https://bugzilla.mozilla.org/attachment.cgi?id=8843448

https://bugzilla.mozilla.org/attachment.cgi?id=8843449





From: Ryan Sleevi [mailto:[email protected]]
Sent: Wednesday, February 22, 2017 11:33 PM
To: Steve Medin <[email protected]>
Cc: [email protected]; [email protected]; Gervase Markham <[email protected]>
Subject: Re: Misissued/Suspicious Symantec Certificates



Hi Steve,



Thanks for your continued attention to this matter. Your responses open many new and important questions and which give serious question as to whether the proposed remediations are sufficient. To keep this short, and thereby allow Symantec a more rapid response:



1) Please provide the CP, CPS, and Audit Letter(s) used for each RA partner since the acquisition by Symantec of the VeriSign Trust Services business in 2010.







On Fri, Feb 17, 2017 at 8:32 PM, Steve Medin via dev-security-policy <[email protected]<mailto:[email protected]>> wrote:

Our third response to questions, including these two below, is posted at Bugzilla, and directly at https://bug1334377.bmoattachments.org/attachment.cgi?id=8838825<https://clicktime.symantec.com/a/1/maIs7jXt0tqwnz1Jx0AxZjkA8GILUQI09uuEhZICWEQ=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8838825>.





From: Ryan Sleevi [mailto:[email protected]<mailto:[email protected]>]
Sent: Friday, February 17, 2017 6:54 PM
To: Ryan Sleevi <[email protected]<mailto:[email protected]>>
Cc: Gervase Markham <[email protected]<mailto:[email protected]>>; [email protected]<mailto:[email protected]>; Steve Medin <[email protected]<mailto:[email protected]>>
Subject: Re: Misissued/Suspicious Symantec Certificates



Hi Steve,



Two more question to add to the list which is already pending:



In [1], in response to question 5, Symantec indicated that Certisign was a WebTrust audited partner RA, with [2] provided as evidence to this fact. While we discussed the concerns with respect to the audit letter, specifically in [3], questions 3 - 6, and while Symantec noted that it would case to accept future EY Brazil audits, I have confirmed with CPA Canada that at during the 2016 and 2017 periods, EY Brazil was not a licensed WebTrust practitioner, as indicated at [4].



Given that EY Brazil was not a licensed WebTrust auditor, it appears that Symantec failed to uphold Section 8.2 of the Baseline Requirements, v1.4.1 [5], namely, that "(For audits conducted in accordance with the WebTrust standard) licensed by WebTrust", which is a requirement clearly articulated in Section 8.4 of the Baseline Requirements, namely, that "If the CA is not using one of the above procedures and the Delegated Third Party is not an Enterprise RA, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.1, ..."



1) Was Symantec's compliance team involved in the review of Certisign's audit?

2) Does Symantec agree with the conclusion that, on the basis of this evidence, Symantec failed to uphold the Baseline Requirements, independent of any action by a Delegated Third Party?



[1] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933<https://clicktime.symantec.com/a/1/vG4MDB3hNsGYUc24ZpW7pdrPIan-c_b-D8RRJ1NfRP4=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831933><https://clicktime.symantec.com/a/1/6wJmuz5H2ktURSIGjev34ZuuQTad1LRVz1nIlADR7XE=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831933>

[2] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831929<https://clicktime.symantec.com/a/1/Co8ZRcNA5WX7mrzL3wgY5QAejUiQtttlSJB2E60z1RQ=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831929><https://clicktime.symantec.com/a/1/pfZiLBH0rxpzxfeiB5YSfvWdOjwpHC72M_rUahZJxKQ=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8831929>

[3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487<https://clicktime.symantec.com/a/1/qzBrc0JUrrA2x3M0TM0G0hDZl4Mw5BjUIARUiy9xfgM=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8836487><https://clicktime.symantec.com/a/1/80dDdC7HC5yMdzxfwRS0saqQ2kS5Tvwuo_kNWaXWLCI=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fbug1334377.bmoattachments.org%2Fattachment.cgi%3Fid%3D8836487>

[4] http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx

[5] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf<https://clicktime.symantec.com/a/1/L6psBNZ-UXLAKLVgVk9O_5t6JV9qi4unxaZUvPpURyI=?d=7ylIQcW9MI3sm23dlF9kH0iQJbyD55FBGhRKwcFXib_4hIAJwQhgd3_24qB0coAv-SdkMKlUr1dYe3ULlJgm969yhZKu4ZLoTqyM3AhvyrmRjBijxx3oSZPweXl_MrKyswyJA1YgFpcKGlUTjUSxotLtqPMZn4tj-_2nsHC7tdtHzA9HmVLZRFXR2Ty6fDlHgYxN5haET45fGSzWiPA8P-VLtfS-ypJqHrmea4f-tKogptm9DGWQ3s-zZjo7FB1wGZL29RK8Xht9YbsSKN7HoJ0DcrJCTqWKwAapOYXopyC1Pf6hUe049AYjSS_wYcu7YAYcbfx2aEyndOFglqSVO7862-3Ny98IiKnskPeYE4pqtE1wHuEAeXC4OopLbVI1LP28GRXPjy8GPSImqgPdjyvD-hmSUJJt&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcabforum.org%2Fwp-content%2Fuploads%2FCA-Browser-Forum-BR-1.4.1.pdf><https://clicktime.symantec.com/a/1/7AUAkdAzUJ1un022RuP_TfjD3UiY12QGLjanVeGgxhk=?d=EzdV7X-pe5sih3AYTnIMlzBIT3AaPBWIYQF9wd5LbpGrImaYYowG0inKiozTFwfAeJMk8B2dt_4yENjH4IaBlGSfv3Nbn8GMpSPDtntAWmyx8q3PfDYHHU_bDfrHZGtmC5XInqf0-ck-FF9e6SGtIxb23Mc2kGZNy8eGAG1jAT1TAe21ybqhXxIvmlxFXmTHtVMR3YXXvHPdAlcwv8e83_rm24C4_wUeNtE5oJFsBljHikK-4oZ1OAUbs4kCgGUxt8cWaB75e0ZDlR_fb71_91rphEjG44uTwcWMGyYK07gsGTyfvKsUrvka6LTCQoX9d09q2fHeLb5TL3SPWUKa6B9_V5GfWubr-0rIMxR7-kT2QzmMrkTgl2YGGDT-rtrKWSZ_xCOsOuU3sp_ARcYoRPNHR1FUGD8%3D&u=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttps%2Fcabforum.org%2Fwp-content%2Fuploads%2FCA-Browser-Forum-BR-1.4.1.pdf>


_______________________________________________
dev-security-policy mailing list
[email protected]<mailto:[email protected]>
https://lists.mozilla.org/listinfo/dev-security-policy



0 new messages